Wednesday, July 15, 2009

Firefox 3.5 unicode stack overflow PoC

A Firefox 3.5 Unicode stack overflow PoC was disclosed on milw0rm.


This is the second PoC published on milw0rm for Firefox 3.5.

Reference

Spam ** 15 July

Suspicious Spam domains:

http://aigekiko.cn/
http://www.aisqsjzo.cn
http://d9100.zjulivaw.cn/
http://iq.zoka.cc/iq-hu.html
http://syojousukui.0catch.com/
http://www.amfmetal.com/
http://www.yavonsu.com/
http://www.limayar.com/
http://yuletell.com/
http://dadvary.com/
http://latespruce.com/
http://www.thegathering2009.com/
http://page.jpahebug.cn/
http://amc2001.intway.info/
http://sweetcould.com/
http://untilmaster.com/
http://rcstly.2008usteamworld.com/t
http://lwiqaxut.cn/
http://www.ckoxemoj.cn/
http://www.muryou-on-love.com/
http://0fc1.jzudeqap.cn/

Microsoft Tuesday Patch July 2009

Microsoft issued six security bulletins on Tuesday. Three are rated "Critical" and the other three "Important". All three critical bulletins address remote code execution vulnerabilities; an attacker who exploits them can take control of the affected machine.



Microsoft Security Bulletin Summary for July 2009

Published: July 14, 2009

Version: 1.0

This bulletin summary lists security bulletins released for July 2009.

With the release of the bulletins for July 2009, this bulletin summary replaces the bulletin advance notification originally issued July 9, 2009. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft is hosting a webcast to address customer questions on these bulletins on July 15, 2009, at 11:00 AM Pacific Time (US & Canada). Register now for the July Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.


Reference: http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

Tuesday, July 14, 2009

Microsoft Exploit ** OWC10.Spreadsheet ActiveX

Another Microsoft Office Web Components (OWC10.Spreadsheet, owc10.dll) ActiveX 0-day has been revealed in the wild and is spreading fast, especially in China. The vulnerability is being called the OWC10.Spreadsheet msDataSourceObject Stack Overflow Exploit.

Malicious link: hxxp://www.fdsdffdfsf.cn/of.htm
After lookup, the fdsdffdfsf.cn domain (59.34.198.57) and a few other domains were found to be blacklisted.

Other domains:
www.dgfdffdfs.cn
www.fdasfadf.cn
www.eweerwerre.cn
www.45sf8.com
www.520458.com



Content for "a.js"

After decoding, the malicious link (Trojan): hxxp:///new.exe


According to VirusTotal, only 29 of 41 scanners (about 71%) detected this malware file.



Reference: safelab.spaces.live.com

Mozilla Firefox 3.5 Heap Spray Vulnerability

Reference: Milw0rm


Heap Spray....

Spam ** 14 July

Spamming domains:

www.buyonline-med.cn
www.hjdsgkjshgirtg.com
www.12345wathces.com
www.xababaa.cn
www.generic-rx.cn

www.blanksweet.com
www.airmlqro.cn
www.loadcup.com
www.online-medd.cn
www.megasalesnow.cn
e89.ailsnjro.cn
057.aibnryuo.cn
808.aiehgygo.cn
b27.aijuydco.cn
88d0a.aijuydco.cn
un.ktovegur.cn
thj94.mjehawij.cn

Friday, July 10, 2009

Combination Exploit and Spam ..."cinesc.com.br", "illusionfest.ru", "mp3musicsool.ru" and "qajtogap.cn"


A new combination attack vector has surfaced: the page http://cinesc.com.br/ddjg.html contains a redirect to a Canadian Pharmacy spam site (qajtogap.cn) and, built through the DOM, an obfuscated iframe that redirects to the exploit site http://illusionfest.ru/coperfild.html.


Figure 1 http://cinesc.com.br/ddjg.html


Figure 2 qajtogap.cn


Figure 3: Decode


Copy the string below and delete every "#", "@" and "!" character. The result is the percent-encoded string shown in figure 4; unescape it to get the link shown in figure 5.
#%@!6!8!#%@!7!4!#%@!7!4!#%@!7!0!#%@!3!a!#%@!2!f!#%@!2!f!#%@!6!9!#%@!6!c!#%@!6!c!#%@!7!5!#%@!7!3!#%@!6!9!#%@!6!f!#%@!6!e!#%@!6!6!#%@!6!5!#%@!7!3!#%@!7!4!#%@!2!e!#%@!7!2!#%@!7!5!#%@!2!f!#%@!6!3!#%@!6!f!#%@!7!0!#%@!6!5!#%@!7!2!#%@!6!6!#%@!6!9!#%@!6!c!#%@!6!4!#%@!2!e!#%@!6!8!#%@!7!4!#%@!6!d!#%@!6!c!

Figure 4: escaped (percent-encoded) string



Figure 5 exploit links http://illusionfest.ru/coperfild.html

http://illusionfest.ru/coperfild.html
Level 1: http://illusionfest.ru/sobolinghel.html
Level 2: http://mp3musicsool.ru/travel/index.php
Level 3: http://mp3musicsool.ru/travel/inEthicsIs.pdf
Level 3: http://mp3musicsool.ru/travel/bcWebSimply.swf
Level 4: http://mp3musicsool.ru/travel/update.php
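The two-step decode described above (strip the filler characters, then unescape), written out as an added example so the result can be checked against the link in figure 5. This is not code from the original post or from the cinesc.com.br page; the generalised decoder and the host extraction at the end are this example's own additions, marked as assumptions in the comments.

```javascript
// Added example: reverse the junk-character obfuscation found on the
// cinesc.com.br page described above. The obfuscated string is copied
// verbatim from the post; the decoder is written here for verification.

// Figure 3 -> figure 4 input, exactly as it appears on the page.
const OBFUSCATED =
  "#%@!6!8!#%@!7!4!#%@!7!4!#%@!7!0!#%@!3!a!#%@!2!f!#%@!2!f!#%@!6!9!#%@!6!c!#%@!6!c!" +
  "#%@!7!5!#%@!7!3!#%@!6!9!#%@!6!f!#%@!6!e!#%@!6!6!#%@!6!5!#%@!7!3!#%@!7!4!#%@!2!e!" +
  "#%@!7!2!#%@!7!5!#%@!2!f!#%@!6!3!#%@!6!f!#%@!7!0!#%@!6!5!#%@!7!2!#%@!6!6!#%@!6!9!" +
  "#%@!6!c!#%@!6!4!#%@!2!e!#%@!6!8!#%@!7!4!#%@!6!d!#%@!6!c!";

// Step 1 (figure 3 -> figure 4): delete every "#", "@" and "!", as the post
// instructs. What remains is an escape()-style percent-encoded string.
function stripJunk(s) {
  return s.replace(/[#@!]/g, "");
}

// Step 2 (figure 4 -> figure 5): decode %XX escapes. This is what the legacy
// unescape() does; it is written by hand so the example does not rely on a
// deprecated global, and it also handles the %uXXXX form that unescape()
// accepts (the form heap-spray scripts typically use).
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

function deobfuscate(s) {
  return percentDecode(stripJunk(s));
}

// Generalisation (an assumption, not from the page): other samples of this
// kind use different filler characters. When the payload is fully
// percent-encoded, as here, keeping only "%" and hex digits recovers it
// whatever the filler is. Caveat: filler drawn from a-f would survive this
// and must be stripped explicitly instead.
function deobfuscateAnyFiller(s) {
  return percentDecode(s.replace(/[^%0-9a-fA-F]/g, ""));
}

// For blocklisting, pull the hostname out of the recovered URL.
function hostOf(url) {
  return new URL(url).hostname;
}

console.log(stripJunk(OBFUSCATED));           // the figure 4 string
console.log(deobfuscate(OBFUSCATED));         // the figure 5 link
console.log(hostOf(deobfuscate(OBFUSCATED))); // domain to block
```

Run with any recent Node.js; the decoded value should match the figure 5 link exactly, and the hostname is the one already listed among the exploit domains above.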


A few other potentially suspicious domains that use mp3musicsool.ru's nameserver (under another name):

daratop.cn
dcn5100.com
degunter.cn
dresstott.cn
google-anallytics.cn (211.95.78.98)
killxp.cn
orzsystem.cn
vkreinting.cn
xuyloknite.com.cn
yahoo-robots.cn (211.95.78.98)


Visiting that page is enough to infect a system, especially if the visitor is not running the latest Adobe Reader and Flash Player. JavaScript embedded in the PDF or Flash file downloads a malicious executable from http://mp3musicsool.ru/travel/update.php (unable to download). For information, the PDF file exploits the Adobe Reader util.printf (CVE-2008-2992) and Collab.getIcon (CVE-2009-0927) vulnerabilities.


..the end